From owner-freebsd-security Fri Sep 7 14:10:35 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 49F7437B403 for ; Fri, 7 Sep 2001 14:10:29 -0700 (PDT)
Received: from localhost (arr@localhost) by fledge.watson.org (8.11.6/8.11.5) with SMTP id f87LAHH01030; Fri, 7 Sep 2001 17:10:17 -0400 (EDT) (envelope-from arr@watson.org)
Date: Fri, 7 Sep 2001 17:10:16 -0400 (EDT)
From: "Andrew R. Reiter"
To: Kris Kennaway
Cc: Rob Simmons , freebsd-security@FreeBSD.ORG
Subject: Re: netbsd vulnerabilities
In-Reply-To: <20010907134427.A55600@xor.obsecurity.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Fri, 7 Sep 2001, Kris Kennaway wrote:
:
:I don't know about this one.. we may be. Someone will have to look
:into it.

In terms of -015 vuln from netbsd:

1) semop: -STABLE (44-RC from 8/28/01) seems to be vulnerable. If we look at
sys/kern/sysv_sem.c, we can see that we do:

    int
    semop(p, uap)
        struct proc *p;
        register struct semop_args *uap;
    {
        int semid = uap->semid;
        int nsops = uap->nsops;

nsops, defined from the man page and sysproto.h semop_args structure, is
_unsigned_. So, I'd say we are vulnerable to #1.

Solution: make the local nsops variable unsigned (size_t might be better?)

2) still need to look into, will follow-up if no one else has when I look
into it

3) same as 2

hope this helps.

*-------------.................................................
| Andrew R. Reiter
| arr@fledge.watson.org
| "It requires a very unusual mind
| to undertake the analysis of the obvious" -- A.N. Whitehead

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
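The mail above points at a signed/unsigned mismatch: the syscall argument `nsops` is unsigned, but the kernel copies it into a signed `int` before any range check. The following is an added, user-space model of that pattern written for this archive page; it is not the FreeBSD source, and `MAX_SOPS`, `struct sembuf_model`, `struct semop_args_model` and the `ERR_E2BIG` return value are assumptions chosen to mirror the shape of a semop-style bounds check. It shows a count of 2^31 or more turning negative in the signed local, passing a `> MAX_SOPS` test, and then producing a wrapped byte length for the copy that follows, beside the `size_t` variant the mail suggests.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not kernel code. Models the mismatch described in the mail:
 * an unsigned argument narrowed into a signed local before a bounds check.
 * All names and limits below are hypothetical.
 */

#define MAX_SOPS  100          /* hypothetical cap on operations per call */
#define ERR_E2BIG (-1)         /* stand-in for the E2BIG rejection */
#define OK        0

struct sembuf_model {          /* stand-in for struct sembuf */
    unsigned short sem_num;
    short          sem_op;
    short          sem_flg;
};

struct semop_args_model {      /* argument block as the syscall sees it */
    int          semid;
    unsigned int nsops;        /* unsigned, as the mail notes for semop_args */
};

/* Vulnerable shape: the unsigned count lands in a signed local first. */
int check_with_signed_local(const struct semop_args_model *uap, size_t *copylen)
{
    int nsops = uap->nsops;    /* values >= 2^31 wrap negative here */

    if (nsops > MAX_SOPS)      /* a negative nsops is never "too big" */
        return ERR_E2BIG;
    /* negative int promoted to size_t: the length handed to the copy is huge */
    *copylen = nsops * sizeof(struct sembuf_model);
    return OK;
}

/* Hardened shape: keep the count unsigned for both the check and the math. */
int check_with_unsigned_local(const struct semop_args_model *uap, size_t *copylen)
{
    size_t nsops = uap->nsops;

    if (nsops > MAX_SOPS)
        return ERR_E2BIG;
    *copylen = nsops * sizeof(struct sembuf_model);
    return OK;
}

/* Byte length the signed-local version would pass on after a hostile count
 * (returns 0 when that version rejects the request). */
size_t signed_local_copy_length(unsigned int hostile_nsops)
{
    struct semop_args_model uap = { 0, hostile_nsops };
    size_t len = 0;
    if (check_with_signed_local(&uap, &len) != OK)
        return 0;
    return len;
}

/* 1 if the signed-local check accepts a count the unsigned check rejects. */
int signed_check_bypassed(unsigned int hostile_nsops)
{
    struct semop_args_model uap = { 0, hostile_nsops };
    size_t len_s = 0, len_u = 0;
    int r_s = check_with_signed_local(&uap, &len_s);
    int r_u = check_with_unsigned_local(&uap, &len_u);
    return r_s == OK && r_u == ERR_E2BIG;
}

int main(void)
{
    /* constructed probe values: in range, at the cap, over it, and wrapping */
    unsigned int probes[] = { 1, MAX_SOPS, MAX_SOPS + 1, 0x80000000u, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        struct semop_args_model uap = { 0, probes[i] };
        size_t len = 0;
        int r = check_with_signed_local(&uap, &len);
        printf("nsops=%#x signed-local check: %s, copy length %zu, bypass=%d\n",
               probes[i], r == OK ? "accepted" : "E2BIG", len,
               signed_check_bypassed(probes[i]));
    }
    return 0;
}
```

The fix the mail proposes (a `size_t` local) closes the gap because the comparison and the multiplication then happen in the same unsigned domain as the argument; a `>` test against a small constant can only be bypassed when the operand can go negative.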